---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: application-sa
---
kind: Service
apiVersion: v1
metadata:
  name: nginx
spec:
  ports:
    - port: 80
      targetPort: 80
  selector:
    k8s-app: nginx

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx
  labels:
    k8s-app: nginx
spec:
  replicas: 2
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      k8s-app: nginx
  template:
    metadata:
      labels:
        k8s-app: nginx
    spec:
      #### Добавлен для работы vault
      serviceAccountName: application-sa
      shareProcessNamespace: true
      volumes:
        - name: config-template
          configMap:
            name: nginx
        - name: vault-agent-configs
          configMap:
            name: vault-agent-configs
        - name: config
          emptyDir:
            medium: Memory
      initContainers:
        - name: init-config
          image: vault:1.9.3
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsUser: 101
            runAsNonRoot: true
            capabilities:
              add:
                - IPC_LOCK
          args:
            - "agent"
            - "-config=/etc/vault/config/vault-agent-init.hcl"
          env:
            - name: SKIP_SETCAP
              value: 'true'
          volumeMounts:
          - mountPath: /etc/vault/config
            name: vault-agent-configs
          - mountPath: /etc/vault/config/template/
            name: config-template
          - mountPath: /etc/vault/config/render/
            name: config
      containers:
        - name: nginx
          image: nginx:1.21.6-alpine
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
              name: http
          resources:
            limits:
              cpu: "0.2"
              memory: "400Mi"
            requests:
              cpu: "0.1"
              memory: "200Mi"
          volumeMounts:
            - name: config
              mountPath: /usr/share/nginx/html
        - name: vault-agent-rerender
          image: vault:1.9.3
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsUser: 101
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - IPC_LOCK
                - SYS_PTRACE
          args:
            - "agent"
            - "-config=/etc/vault/config/vault-agent-reload.hcl"
          env:
            - name: SKIP_SETCAP
              value: 'true'
          volumeMounts:
          - mountPath: /etc/vault/config
            name: vault-agent-configs
          - mountPath: /etc/vault/config/template/
            name: config-template
          - mountPath: /etc/vault/config/render/
            name: config